If I have to pick just one, the dumbest thing Hacker News believes about security is that phishing is a simplistic attack that only unsophisticated users fall for.
Replying to @tqbf
I am an engineer working for an anti-phishing security company and I confess I have had some -majorly- close calls from our training simulations. Everyone gets tired, distracted, or careless, not just unsophisticated people.
4 replies 8 retweets 38 likes
I just hate every person and every email I get equally. It's on brand for me. That said, I agree with the central point: hardcore two factor auth, 100% of the time, everywhere... is the real defense here.
1 reply 1 retweet 11 likes
Replying to @codinghorror @thenthj
Careful: you need a 2FA scheme that isn't susceptible to phishing. Authenticator codes and SMSs are just as easy to phish as passwords.
2 replies 0 retweets 4 likes
They'd have to be phished in near real time to work. ~2 minute window? I'd say that moves the bar up quite a bit over "valid forever" username/password only.
2 replies 0 retweets 3 likes
Having trouble following what attack you're imagining. Once the attacker has logged in, they get an authentication token that they use for whatever attack you wanted: stealing money, reading email, whatever. That is not a high bar.
1 reply 0 retweets 2 likes
Replying to @taviso @codinghorror and
You visit phishsite.php, you're already convinced it's your bank, so you enter your password. That PHP script submits the creds (that is obviously possible in under 2 minutes) and then asks for the OTP; you're already convinced it's the bank, so you enter it. Where is the bar?
3 replies 0 retweets 8 likes
Oh, you're assuming there is fakebankpage.php server code that is attempting a realbankpage.html passthrough login at the actual time of form submission? Possible, unless the login form is captcha'd.
3 replies 0 retweets 0 likes
The attacker can just proxy whatever captcha is necessary to you. The only real solution is U2F. This is a favourite argument of mine; I think SMS 2FA is worthless and needs to die.
3 replies 1 retweet 23 likes
I guess my argument is that it's a process, and moving the bar to auth apps raises that bar. You don't need to outrun the bear, you just need to outrun the people behind you ;) That, plus Apple needs a far better near-field / Bluetooth key story.
3 replies 0 retweets 2 likes
It's certainly an economics problem for opportunistic attackers; they are rational and don't want to waste money adding support for 2FA users. That will yield 1% more victims for a lot of work... but when 90% of users are 2FA users....
Proxying 2FA fields (or captcha) plus running a real headless browser is *FAR* more complex than a simple "present fake form, save entered form data to database", like 2 orders of magnitude harder. It is also extremely site-specific and brittle if they update the login form.
2 replies 0 retweets 5 likes
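An added example, not from any of the tweets above, that models the verification side of the two schemes being argued over: a TOTP code names only the time, so a code typed into a look-alike page still verifies at the real site within its window, while a U2F/WebAuthn assertion covers the origin the browser was actually on, so the real relying party rejects a relayed one. It assumes a constructed seed, credential secret and hostnames, and uses HMAC as a stand-in for the authenticator's ECDSA signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo values; HMAC with a per-credential secret stands in for the
# authenticator's private-key signature (real U2F/WebAuthn uses ECDSA P-256).
CRED_SECRET = b"constructed-demo-credential-secret"
TOTP_SEED = b"constructed-demo-totp-seed"


def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Note that only the time is bound, never the site."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(seed: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(submitted, totp(seed, t))


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data: dict) -> dict:
    """What a U2F/WebAuthn authenticator signs: the RP ID hash plus the hash of the
    browser-built client data, which carries the origin the user is really on."""
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data_json).digest()
    return {"client_data_json": client_data_json,
            "sig": hmac.new(cred_secret, signed, hashlib.sha256).digest()}


def rp_verify(cred_secret: bytes, rp_id: str, expected_origin: str, challenge: str, assertion: dict) -> bool:
    """Relying-party check: origin and challenge must match before the signature is even considered."""
    cd = json.loads(assertion["client_data_json"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge:
        return False  # signed on another origin, or not the challenge we issued
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["client_data_json"]).digest()
    return hmac.compare_digest(assertion["sig"], hmac.new(cred_secret, signed, hashlib.sha256).digest())


def demo() -> dict:
    now = 1700000010  # start of a 30-second TOTP window (constructed timestamp)
    # TOTP: the code typed on the look-alike page is still valid at the real site
    # 20 seconds later, because nothing in it says which site it was typed into.
    code_typed_on_fake_page = totp(TOTP_SEED, now)
    totp_relay_accepted = verify_totp(TOTP_SEED, code_typed_on_fake_page, now + 20)
    # U2F: even if the real challenge is relayed, the browser records the origin it
    # is on, and the real bank only accepts its own origin.
    challenge = "constructed-challenge"
    relayed = authenticator_sign(CRED_SECRET, "bank.example",
                                 {"origin": "https://bank-login.example", "challenge": challenge})
    genuine = authenticator_sign(CRED_SECRET, "bank.example",
                                 {"origin": "https://bank.example", "challenge": challenge})
    return {"totp_relay_accepted": totp_relay_accepted,
            "u2f_relay_accepted": rp_verify(CRED_SECRET, "bank.example", "https://bank.example", challenge, relayed),
            "u2f_genuine_accepted": rp_verify(CRED_SECRET, "bank.example", "https://bank.example", challenge, genuine)}
```

In a real browser the relay fails one step earlier: the browser refuses to use a credential whose RP ID is not a registrable suffix of the page's origin, so the authenticator never signs for the look-alike site at all.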
Replying to @taviso @codinghorror and
I don't think this argument works for targeted phishing attacks though; if you're vulnerable to phishing, 2FA isn't gonna do much for you.
0 replies 0 retweets 2 likes